Drago Rotaru and Tim Wood University of Bristol, KU Leuven * - - PowerPoint PPT Presentation

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 1

INDOCRYPT 2019

MArBled Circuits: Mixing Arithmetic and Boolean Circuits with Active Security*

Dragoș Rotaru and Tim Wood

University of Bristol, KU Leuven

* https://ia.cr/2019/207

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 2

What is multiparty computation?

Dragos Rotaru 2

Goal: Compute F(a, b, c)

a c b

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 3

How can we achieve MPC?

Secret Sharing Garbled Circuits Fast networks (LAN) Slow Networks (WAN) Arithmetic/Boolean circuits Boolean circuits Low depth, many AND gates* Large depth, few AND gates*

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 4

Why switch between?

Secret Sharing Garbled Circuits Fast networks (LAN) Slow Networks (WAN) Arithmetic/Boolean circuits Boolean circuits Low depth, many AND gates* Large depth, few AND gates* Sint A, x, b y = A * x + b E = argmax(y)

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 5

Why switch between?

Secret Sharing Garbled Circuits Fast networks (LAN) Slow Networks (WAN) Arithmetic/Boolean circuits Boolean circuits Low depth, many AND gates* Large depth, few AND gates* Sint A, x, b y = A * x + b E = argmax(y) E = argmax(y)

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 6

Can we switch between?

ABY [DSZ’15]

Yao GC – mod 2 A (GMW mod 2𝑙 ) B (GMW mod 2)

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 7

Can we switch between?

ABY [DSZ’15]

Yao GC – mod 2

ABY3 [MR’18]

A (GMW mod 2𝑙 ) B (GMW mod 2)

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 8

Can we switch between?

ABY [DSZ’15]

A (GMW mod 2𝑙 ) B (GMW mod 2) Yao GC – mod 2

ABY3 [MR’18]

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 9

What about dishonest majority?

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 10

What about dishonest majority?

SPDZ WRK’17

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 11

What about dishonest majority?

SPDZ WRK’17 Naive

>110K ANDs

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 12

What about dishonest majority?

SPDZ WRK’17

>110K ANDs >110K ANDs

Naive

Dragoș Rotaru

Naive

imec-Cosic, Dept. Electrical Engineering 13

What about dishonest majority?

SPDZ WRK’17

<1K ANDs 0 ANDs

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 14

How general is this?

SPDZ SPDZ-BMR WRK’17 HSS’17 𝐆𝑞 SPDZ 𝐚2𝑙

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 15

How general is this?

SPDZ SPDZ-BMR WRK’17 HSS’17 𝐆𝑞 SPDZ 𝐚2𝑙

Very fast using DEFKSV’19 tricks

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 16

How general is this?

SPDZ SPDZ-BMR WRK’17 HSS’17 𝐆𝑞 SPDZ 𝐚2𝑙

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 17

How general is this?

SPDZ SPDZ-BMR WRK’17 HSS’17 𝐆𝑞 SPDZ 𝐚2𝑙 Any honest majority protocol

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 18

Our focus

SPDZ SPDZ-BMR WRK’17 HSS’17 𝐆𝑞 SPDZ 𝐚2𝑙

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 19

Malicious MPC protocols

Preprocessing phase Online phase

Inputs PKC SPDZ, TinyOT, BDOZa, MASCOT, WRK’17, HSS’17, …

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 20

Let’s talk about

SPDZ 𝐆𝑞

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 21

SPDZ online phase

𝑦1 𝑦2 𝑦3 𝑦 α𝑦 γ(𝑦)2 γ(𝑦)1 γ(𝑦)3

+ + + +

= =

α1 α2 α3 α

+ +

=

SPDZ 𝐆𝑞

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 22

SPDZ online phase

𝑦1 + 𝑧1 𝑦2 + 𝑧2 𝑦3 + 𝑧3 𝑦 + 𝑧

α(𝑦 + 𝑧)

γ x 2 + γ y 2 γ x 1 + γ y 1

+ +

+

=

=

α1 α2 α3 α

+ +

=

+

SPDZ 𝐆𝑞

γ x 3 + γ y 3

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 23

SPDZ online phase

SPDZ 𝐆𝑞

X𝐵

←

Input

X𝐵

Retrieve a random mask

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 24

SPDZ online phase

SPDZ 𝐆𝑞

X𝐵

←

Input

X𝐵

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 25

SPDZ online phase

SPDZ 𝐆𝑞

x

←

x

X𝐵

←

Open Input

X𝐵

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 26

SPDZ online phase

SPDZ 𝐆𝑞

x

←

x

X𝐵

←

Open Input

X𝐵

MAC Check

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 27

SPDZ online phase

SPDZ 𝐆𝑞

z x y

←



x

←

x

X𝐵

←

Open Input XOR

X𝐵

Retrieve a Beaver triple

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 28

SPDZ online phase

SPDZ 𝐆𝑞

z x y

←



x

←

x

X𝐵

←

Open Input XOR

X𝐵

MAC Check

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 29

Let’s talk about

BMR[MASCOT] 𝐆2

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 30

SPDZ online phase

BMR 𝐆2

B

AND AND

A C

A B C

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 31

SPDZ online phase

SPDZ-BMR 𝐆2

B

AND AND

A C

Λ𝑑 ←C + λ𝑑 Λ𝐵 ← A + λ𝑏 Λ𝐶 ← B + λ𝑐

MAC Check BMR 𝐆2

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 32

SPDZ online phase

BMR 𝐆2

B

AND AND

A C

Λ𝑑 ←C + λ𝑑 Λ𝐵 ← A + λ𝑏 Λ𝐶 ← B + λ𝑐

MAC Check

Inputs - cheap XOR - free Mod p arithmetic - some AND gates

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 33

Main idea:

SPDZ 𝐆𝑞 BMR 𝐆2

x x x

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 34

Main idea:

SPDZ 𝐆𝑞 BMR 𝐆2

x x r x

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 35

Main idea:

SPDZ 𝐆𝑞 BMR 𝐆2

x x r x

• x-r

SPDZ – MAC Check Open

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 36

Main idea:

SPDZ 𝐆𝑞 BMR 𝐆2

x x r x

• x-r

+ r x

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 37

Main idea:

SPDZ 𝐆𝑞 BMR 𝐆2

x x r x

• x-r

+ r x

We formalize this, plug in any LSSS and GC.

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 38

Introducing daBits

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 39

Introducing daBits

SPDZ 𝐆𝑞 BMR 𝐆2

𝒄𝑩 𝒄𝑪 𝒄𝑫

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 40

Introducing daBits

SPDZ 𝐆𝑞 BMR 𝐆2

𝒄𝑪 𝒄𝑫

SPDZ Input BMR Input

𝒄𝑩

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 41

Introducing daBits

SPDZ 𝐆𝑞 BMR 𝐆2

𝒄𝑩

SPDZ Input BMR Input

𝒄𝑩 𝒄𝑪 𝒄𝑪 𝒄𝑫 𝒄𝑫

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 42

Introducing daBits

SPDZ 𝐆𝑞 BMR 𝐆2

𝒄𝑩

SPDZ Open BMR Open

𝒄𝑩 𝒄𝑪 𝒄𝑪 𝒄𝑫 𝒄𝑫

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 43

Introducing daBits

SPDZ 𝐆𝑞 BMR 𝐆2 𝒄𝑩𝒄𝑪𝒄𝑫 SPDZ XOR BMR XOR 𝒄𝑩𝒄𝑪𝒄𝑫

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 44

Introducing daBits

SPDZ 𝐆𝑞 BMR 𝐆2

𝒄𝑩𝒄𝑪𝒄𝑫

SPDZ Open BMR Open

𝒄𝑩𝒄𝑪𝒄𝑫

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 45

daBit cost

SPDZ BMR[MASCOT]

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 46

SVM Example in MP-SPDZ

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 47

SVM Example in MP-SPDZ

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 48

daBit 2.0

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 49

daBit 2.0

➢ Inspired from DEFKSV’19 𝐚2𝑙

𝐆2

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 50

daBit 2.0

➢ Inspired from DEFKSV’19 𝐚2𝑙

𝐆2

𝐆𝑞

𝐆2

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 51

daBit 2.0

➢ Inspired from DEFKSV’19 𝐚2𝑙

𝐆2

𝐆𝑞

𝐆2

𝐚2𝑙

𝐆2

Local mod 2

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 52

daBit 2.0

𝐆𝑞

𝐆2

SPDZ[p].Random() 𝒄1 𝒄𝑜 𝒔1 𝒔𝑡 … … 𝒄1

𝑩

𝒄𝑜

𝑩

𝒔1

𝑩

𝒔𝑡

𝑩

… …

mod 2 mod 2 mod 2 mod 2

𝒄1

𝑪

𝒄𝑜

𝑪

𝒔1

𝑪

𝒔𝑡

𝑪

… …

mod 2 mod 2 mod 2 mod 2

TinyOT.Input()

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 53

daBit 2.0

𝐆𝑞

𝐆2

SPDZ[p].Random() 𝒄1 𝒄𝑜 𝒔1 𝒔𝑡 … … 𝒄1

𝑩

𝒄𝑜

𝑩

𝒔1

𝑩

𝒔𝑡

𝑩

… …

mod 2 mod 2 mod 2 mod 2

𝒄1

𝑪

𝒄𝑜

𝑪

𝒔1

𝑪

𝒔𝑡

𝑪

… …

mod 2 mod 2 mod 2 mod 2

TinyOT.Input() 𝒄1

𝑩 mod 2

𝒄1

𝑪 mod 2

xor 𝒄𝟐 xor 1 Take s linear combinations 𝒄1 𝒄𝑜 … 𝒄1 𝒄𝑜 … and 𝒔𝑗 𝒔𝑗

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 54

daBit 2.0

𝐆𝑞

𝐆2

SPDZ[p].Random() 𝒄1 𝒄𝑜 𝒔1 𝒔𝑡 … … 𝒄1

𝑩

𝒄𝑜

𝑩

𝒔1

𝑩

𝒔𝑡

𝑩

… …

mod 2 mod 2 mod 2 mod 2

𝒄1

𝑪

𝒄𝑜

𝑪

𝒔1

𝑪

𝒔𝑡

𝑪

… …

mod 2 mod 2 mod 2 mod 2

TinyOT.Input() 𝒄1

𝑩 mod 2

𝒄1

𝑪 mod 2

xor 𝒄𝟐 xor 1 Take s linear combinations 𝒄1 𝒄𝑜 … 𝒄1 𝒄𝑜 … and 𝒔𝑗 𝒔𝑗 N-party case more tricky

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 55

daBit 2.0

𝐆𝑞

𝐆2

SPDZ[p].Random() 𝒄1 𝒄𝑜 𝒔1 𝒔𝑡 … … Take s linear combinations 𝒄1 𝒄𝑜 … 𝒔𝑗 𝜷1 𝜷𝑜 𝒄1 𝒄𝑜 … 𝒔𝑗 𝜷1 𝜷𝑜

?

mod p mod 2

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 56

daBit 2.0

𝐆𝑞

𝐆2

SPDZ[p].Random() 𝒄1 𝒄𝑜 𝒔1 𝒔𝑡 … … Take s linear combinations 𝒄1 𝒄𝑜 … 𝒔𝑗 𝜷1 𝜷𝑜 𝒄1 𝒄𝑜 … 𝒔𝑗 𝜷1 𝜷𝑜

?

mod p mod 2 LSB(

)

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 57

daBits – state of the art

RW’19 AORSW’19 RSTV’19

• Proofs for any LSSS and GC
• Concrete efficiency costs
• Avoid cut and choose
• Full system integration
• Remove N party XOR
• Used for maliciously secure

KeyGen protocol.

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 58

Conclusions and future work

➢ Can we generate daBits faster? ➢ More interesting examples where these conversions are good will come soon…

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 59

Thank you!

Dragoș Rotaru imec-Cosic, Dept. Electrical Engineering 60

• Questions?

Thank you!

• https://ia.cr/2019/207